> From: James Morris <[EMAIL PROTECTED]>
> Date: Thu, 5 Oct 2006 16:54:38 -0400 (EDT)
>
> > > #ifdef CONFIG_XFRM_SUB_POLICY
> > > pol = xfrm_policy_lookup_bytype(XFRM_POLICY_TYPE_SUB,
> fl, family, dir);
> > > - if (pol)
> > > + if (IS_ERR(pol)) {
> > > + err = PTR_ERR(pol);
> > > + pol = NULL;
> > > + }
> > > + if (pol || err)
> > > goto end;
> >
> > Similarly, if the sub-policy lookup returns -EACCESS,
> should we then try a
> > main policy lookup before failing?
>
> We're trying to fill the flow cache here. In the case where we'd
> have a match in both the sub-policy and main table, I think the
> sub-policy is supposed to take precedence, and if you fail to get
> this sub-policy you should fail the entire lookup.
Which is what's happening here correct?
>
> The way the sub-policied entries work is that you find the sub-policy
> as the primary object in the flow cache, and once you notice you have
> a sub-policy you do an explicit lookup in the main table to put the
> whole thing together.
May be James can help me understand this; when exactly would a sub-policy
be "notice"d here? What does "put the whole thing together" mean?
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
